[VIM] Moodle issue - invalid vendor ack? and extra vulns

George A. Theall theall at tenablesecurity.com
Tue Sep 19 20:04:12 EDT 2006

Steven M. Christey wrote:

> But the Moodle changelog for 1.6.2 here:
>   http://docs.moodle.org/en/Release_notes#Moodle_1.6.2
> does not provide sufficient details to match up with the original
> disclosure, 

Are you referring to Omid's posting - 
<http://www.securityfocus.com/archive/1/446227/30/0/threaded>? That was 
indeed fixed in 1.6.2. The problem lies in 'do_save()' in blob/edit.php 
- an authenticated attacker can manipulate database queries via the 
'format' parameter of the script. With the help of some debugging 
statements I added, I could see that the supplied value was being passed 
to '_adodb_column_sql()' in 'lib/adodb/adodb-lib.inc.php' with 'type' 
equal to 'I', and in 1.6.1, the value was used as-is, without being 
restricted to an int.

> It also mentions other security issues, but most of the items are
> terse and some might be enhancements instead of vulns.
> Has anybody investigated further?

The 'course/jumpto.php' issue exists too. It might be possible to 
leverage that to conduct XSS attacks against an install, but I'm not sure.

theall at tenablesecurity.com
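
The integer-column handling described in the message above, as an added example that is not part of the original post and is not Moodle's or ADOdb's code. The helper `build_update_sql()`, its `$strict` switch, the `post_demo` table, the column map and the sample values are all hypothetical or constructed.

```php
<?php
// Added illustration: hypothetical helper, not Moodle's or ADOdb's code.
// Builds "UPDATE ... SET ..." from a record, using a column => type map
// where 'I' marks an integer column and 'C' a character column.
function build_update_sql(string $table, array $types, array $record, int $id, bool $strict): string
{
    $sets = [];
    foreach ($record as $column => $value) {
        if (!isset($types[$column])) {
            throw new InvalidArgumentException("unknown column: $column");
        }
        if ($types[$column] === 'I') {
            if ($strict) {
                // Hardened: only a well-formed integer reaches the SQL text.
                $checked = filter_var($value, FILTER_VALIDATE_INT);
                if ($checked === false) {
                    throw new InvalidArgumentException("non-integer value for $column");
                }
                $value = $checked;
            }
            // With $strict = false the value is used as-is, which is the
            // behaviour the post describes for 1.6.1.
            $sets[] = "$column = $value";
        } else {
            // Character data: quoted, with embedded quotes doubled.
            $sets[] = "$column = '" . str_replace("'", "''", (string) $value) . "'";
        }
    }
    return "UPDATE $table SET " . implode(', ', $sets) . " WHERE id = $id";
}

$types  = ['summary' => 'C', 'format' => 'I'];   // constructed schema
$good   = ['summary' => "it's a post", 'format' => '1'];
$notInt = ['summary' => "it's a post", 'format' => '1 + 1']; // constructed non-integer

// Unrestricted: the submitted text becomes part of the statement itself.
echo build_update_sql('post_demo', $types, $notInt, 7, false), PHP_EOL;

// Restricted to int: a well-formed value passes, anything else is refused.
echo build_update_sql('post_demo', $types, $good, 7, true), PHP_EOL;
try {
    build_update_sql('post_demo', $types, $notInt, 7, true);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```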
